Computer Hacking Forensic Investigator (CHFI)
- 02 Aprile 2025
- Duration 24 weeks
- 01 June 2026
- Duration: 36 weeks
Uncover, analyze, and preserve digital evidence with CHFI — the global standard in cyber forensics and investigation
As an Authorized Training Center of EC-Council, we deliver official CHFI training and certification designed to prepare professionals for digital forensics, incident investigation, and cybercrime response
Key features & benefits
68 hands-on forensic labs with 70+ GB of crafted evidence files to simulate real-world investigations
600+ digital forensic tools covering malware, cloud, IoT, social media, mobile, and dark web forensics
Structured methodology: documenting crime scenes, evidence acquisition, preservation, analysis, and reporting
Compliance with global standards — ISO/IEC 17024, DoD 8570/8140, NICE 800-181, PCI DSS, SOX, HIPAA
For professionals: build job-ready DFIR skills, gain a globally recognized certification, and access high-demand roles
For businesses: strengthen incident response, reduce investigation costs, minimize regulatory risks, and ensure evidence is admissible in court
40% of training time dedicated to practical labs, bridging theory and real-world application
Developed by leading forensic experts, mapped to NICE job roles, and trusted by law enforcement, defense, and enterprise security teams worldwide
Course outline
Module 01
Computer forensics in today's world
Computer forensics in today's world
Fundamentals of computer forensics
Cybercrimes and their investigation procedures
Digital evidence and ediscovery
Forensic readiness
Role of various processes and technologies in computer forensics
Roles and responsibilities of a forensic investigator
Challenges faced in investigating cybercrimes
Standards and best practices related to computer forensics
Laws and legal compliance in computer forensics
Key topics covered: scope of computer forensics, types of cybercrimes, cyber attribution, cybercrime investigation, types and role of digital evidence, sources of potential evidence, federal rules of evidence (United States), forensic readiness and business continuity, incident response process flow, role of artificial intelligence in computer forensics, forensics automation and orchestration, roles and responsibilities of a forensics investigator, code of ethics, challenges cybercrimes pose to investigators, iso standards, and computer forensics and legal compliance.
Module 02
Computer forensics investigation process
Computer forensics investigation process
- Forensic investigation process and its importance
- First response
Pre-investigation phase - Investigation phase
- Post-investigation phase
Labs: create a hard disk image file for forensics investigation and recover the data
Key topics covered: phases involved in the computer forensics investigation process, first response, roles of first responder, first response: different situations, setting up a computer forensics lab, understanding hardware and software requirements of a forensics lab, building security content, scripts, tools, or methods to enhance forensic processes, documenting the electronic crime scene, search and seizure, evidence preservation, data acquisition, case analysis, reporting, and testifying as an expert witness
Module 03
Understanding hard disks and file systems
Understanding hard disks and file systems
- Disk drives and their characteristics
- Logical structure of a disk
- Booting process of windows, linux, and macos operating systems
- File systems of windows, linux, and macos operating systems
- File system analysis
- Storage systems
- Encoding standards and hex editors
- Analyze popular file formats
Labs: analyze file system of linux and windows evidence images and recover the deleted files. analyze file formats.
Key topics covered: hard disk drive, solid-state drive (ssd), disk interfaces, logical structure of disks, windows boot process, macos boot process, linux boot process, windows file systems, linux file systems, macos file systems, file system analysis, file system timeline creation and analysis, raid storage system, differences between nas and san, character encoding standards, hex editors, pdf file analysis, word file analysis, powerpoint file analysis, and excel file analysis.
Module 04
Data acquisition and duplication
Data acquisition and duplication
- Data acquisition
- Ediscovery
- Data acquisition methodology
- Preparing an image file for examination
Labs: create a forensics image for examination and convert it into various supportive formats for data acquisition.
Key topics covered: live acquisition, dead acquisition, data acquisition format, ediscovery collection methodologies, ediscovery tools, determine the data acquisition method, select data acquisition tool, sanitize target media, acquire volatile data, enable write protection on the evidence media, acquire non-volatile data, plan for contingency, validate data acquisition, preparing an image for examination and digital forensic imaging tools.
Module 05
Defeating anti-forensics techniques
Defeating anti-forensics techniques
- Anti-forensics techniques
- Data deletion and recycle bin forensics
- File carving techniques and ways to recover evidence from deleted partitions
- Password cracking/bypassing techniques
- Steganography, hidden data in file system structures, trail obfuscation, and file extension mismatch
- Techniques of artifact wiping, overwritten data/metadata detection, and encryption
- Program packers and footprint minimizing techniques
Labs: perform solid-state drive (ssd) file carving on windows and linux file systems. recover lost/deleted partitions and their contents. crack passwords of various applications. detect hidden data streams and unpack program packers.
Key topics covered: challenges to forensics from anti-forensics, anti-forensics techniques, data/file deletion, recycle bin in windows, file carving, recovering deleted partitions, password cracking tools, bypassing windows user password, steganography, alternate data streams, trail obfuscation, overwriting data/metadata, encryption, program packers, and anti-forensics techniques that minimize footprint.
Module 06
Windows forensics
Windows forensics
- Windows forensics
- Collect volatile information
- Collect non-volatile information
- Windows memory analysis
- Windows registry analysis
- Electron application analysis
- Web browser forensics
- Examine windows files and metadata
- Shellbags, lnk files, and jump lists
- Text-based logs and windows event logs
Labs: acquire and investigate ram and windows registry contents. examine forensic artifacts from web browsers. identify and extract forensic evidence from computers.
Key topics covered: windows forensics methodology, collecting volatile information, collecting non-volatile information, collecting windows domain information, examining compressed files, windows memory analysis, memory forensics, windows registry analysis, electron application forensics, web browser forensics, carving sqlite database files, windows file analysis, metadata investigation, windows shellbags, analyzing lnk files, analyzing jump lists, windows 11 event logs, and windows forensics tools.
Module 07
Linux and mac forensics
Linux and mac forensics
- Collect volatile information in linux
- Collect non-volatile information in linux
- Linux memory forensics
- Mac forensics
- Collect volatile information in mac
- Collect non-volatile information in mac
- Mac memory forensics and mac forensics tools
Labs: perform volatile and non-volatile data acquisition on linux and mac computers. perform memory forensics on a linux machine.
Key topics covered: collecting volatile information, collecting non-volatile information, linux memory forensics, mac forensics data, mac log files, mac directories, mac memory forensics, apfs analysis, parsing metadata on spotlight, and mac forensics tools.
Module 08
Network forensics
Network forensics
- Network forensics
- Event correlation
- Indicators of compromise (iocs) from network logs
- Investigate network traffic
- Incident detection and examination
- Wireless network forensics
- Detect and investigate wireless network attacks
Labs: identify and investigate network attacks. analyze network traffic for artifacts.
Key topics covered: postmortem and real-time analysis, types of network-based evidence, types of event correlation, event correlation approaches, analyzing firewall logs, analyzing ids logs, analyzing honeypot logs, analyzing router logs, analyzing dhcp logs, analyzing cisco switch logs, analyzing vpn logs, analyzing dns server logs, network log analysis tools, analyze traffic for network attacks, tools for investigating network traffic, siem solutions, examine network attacks, types of wireless evidence, wireless network forensics processes, detect rogue access points, analyze wireless packet captures, analyze wi-fi spectrum, and tools for investigating wireless network traffic.
Module 09
Malware forensics
Malware forensics
- Malware
- Malware forensics
- Static malware analysis
- Analyze suspicious documents
- System behavior analysis
- Network behavior analysis
- Ransomware analysis
Labs: perform static malware analysis. analyze a suspicious pdf file and microsoft office document. emotet malware analysis.
Key topics covered: different ways for malware to enter a system, components of malware, malware forensic artifacts, setting up a controlled malware analysis lab, malware analysis tools, types of malware analysis, static malware analysis, system behavior analysis, network behavior analysis, and ransomware analysis – blackcat (alphv).
Module 10
Investigating web attacks
Investigating web attacks
- Web application forensics
- Internet information services (iis) logs
- Apache web server logs
- Detect and investigate various attacks on web applications
Labs: identify and investigate web application attacks.
Key topics covered: indicators of a web attack, owasp top 10 application security risks – 2021, web attack investigation methodology, iis web server architecture, analyzing iis logs, iis log analysis tools, apache web server logs, apache access logs, apache error logs, apache log analysis tools, investigating cross-site scripting (xss) attack, investigating sql injection attack, investigating path/directory traversal attack, investigating command injection attack, investigating xml external entity (xxe) attack, and investigating brute-force attack.
Module 11
Dark web forensics
Dark web forensics
- Dark web and dark web forensics
- Identify the traces of tor browser during investigation
- Tor browser forensics
Labs: detect tor browser activity and examine ram dumps to discover tor browser artifacts.
Key topics covered: working with the tor browser, dark web forensics, identifying the tor browser artifacts, tor browser forensics, memory dump analysis, and forensic analysis of memory dumps to examine email artifacts.
Module 12
Cloud forensics
Cloud forensics
- Cloud computing
- Cloud forensics
- Amazon web services (aws) fundamentals
- Aws forensics
- Microsoft azure fundamentals
- Microsoft azure forensics
- Google cloud fundamentals
- Google cloud forensics
Labs: forensic acquisition and examination of an amazon ec2 instance, azure vm, and gcp vm.
Key topics covered: types of cloud computing services, separation of responsibilities in the cloud, owasp top 10 cloud security risks, uses of cloud forensics, data storage in aws, logs in aws, forensic acquisition of amazon ec2 instance, data storage in azure, logs in azure, forensic acquisition of vms in azure, data storage in google cloud, logs in google cloud, forensic acquisition of persistent disk volumes in gcp, investigating google cloud security incidents, investigating google cloud container security incidents, and investigating google cloud vm-based security incidents.
Module 13
Email and social media forensics
Email and social media forensics
- Email basics
- Email crime investigation and its steps
- U.s. laws against email crime
- Social media forensics
Labs: investigate a suspicious email to extract forensic evidence.
Key topics covered: components involved in email communication, parts of an email message, steps to investigate email crimes, u.s. laws against email crime, social media crimes, extracting footage from social media platforms, tracking social media user activities, constructing and analyzing social network graphs, and social media forensics tools.
Module 14
Mobile forensics
Mobile forensics
- Mobile device forensics
- Android and ios architecture and boot process
- Mobile forensics process
- Investigate cellular network data
- File system acquisition
- Phone locks, rooting, and jailbreaking of mobile devices
- Logical acquisition on mobile devices
- Physical acquisition of mobile devices
- Android and ios forensic analysis
Labs: examine an android image file and carve deleted files.
Key topics covered: mobile device forensics, owasp top 10 mobile risk, android os architecture, ios architecture, mobile forensics process, android forensics process, ios forensics process, cell site analysis, android file system, ios file system, bypassing locked android devices, accessing root files in android, jailbreaking of ios devices, logical acquisition, cloud data acquisition on android and ios devices, physical acquisition, jtag forensics, flasher boxes, static analysis and dynamic analysis of android package kit (apk), android log analysis tools, collecting whatsapp artifacts from android devices, analyzing ios safari artifacts, analyzing ios keychains, and ios forensic analysis.
Module 15
IoT forensics
IoT forensics
- IoT concepts
- IoT devices forensics
Key topics covered: IoT architecture, IoT security problems, owasp top 10 iot threats, IoT forensics process, IoT forensics challenges, wearable IoT device: smartwatch, and IoT device forensics: smart speaker—amazon echo, hardware level analysis: jtag and chip-off forensics, extracting and analyzing data from drone/uavs, and iot forensics tools
Our partners & vendors
Ready to grow your cybersecurity team?
Training prerequisites
Core knowledge
Basic understanding of computer networks, operating systems, and cybersecurity concepts
Familiarity with digital evidence and its role in investigations
Technical skills
Ability to work with common forensic tools (e.g., FTK Imager, Autopsy, EnCase, X-Ways)
Understanding of file systems (Windows, Linux, macOS) and how data is stored
Familiarity with concepts of disk imaging, memory capture, and log analysis
OS & tools
Confident using Windows, Linux, or macOS environments
Able to install and run command-line forensic utilities
Understanding of virtual machines and cloud platforms for forensic labs
Basic knowledge of scripting (e.g., Python, PowerShell, or Bash) is an advantage
Training & register details
TRAINING OVERVIEW
Computer Hacking Forensic Investigator (CHFI)
Uncover, analyze, and present digital evidence with industry-leading forensic investigation training
Training Duration: 5 days (40 hours)
Format: Instructor-Led Online
Level: Intermediate
Language: Ukrainian
Materials: English | 12 months valid
Labs: 24/7 180 days access
Exam Attempts: 1 offline
HOW TO REGISTER
1. Submit your application
Submit a quick application to let us know you’re interested in the course.
2. Intro call
We’ll schedule a short call to learn more about your goals and expectations.
3. Confirm your spot
Get accepted and complete the paperwork. We’ll send you all the info you need.
4. Start learning
Access your learning platform and get familiar with the materials.
5. Join the community
Get access to the student chat, events, and mentorship opportunities.
Who is CHFI for?
Cybersecurity professionals
Advance your career by mastering digital forensics and incident investigation with CHFI
Teams & organizations
Strengthen your team’s ability to investigate, analyze, and respond to cyber incidents with globally recognized certification
Government & military
Trusted by agencies and defense bodies worldwide to build advanced digital forensics and cybercrime investigation capabilities
Educators
Expand your cybersecurity training programs with comprehensive digital forensics expertise
FAQ
What does a C|HFI do?
A Computer Hacking Forensic Investigator (C|HFI) is a professional who interprets digital evidence in the context of computer-related crimes. Their primary responsibilities include conducting in-depth digital forensics investigations and obtaining and archiving electronic evidence from various sources, including computers, networks, and digital devices. Additionally, a C|HFI is essential in processing evidence, drafting reports, and offering cybersecurity advice.
What is the C|HFI?
The C|HFI is a professional certification program for digital forensics and cybersecurity professionals. This ANAB (ANSI) accredited and US DoD-approved program is a lab-intensive program that builds skills to investigate, record, and report cybercrimes to prevent future attacks. It provides a deep understanding of digital forensics and evidence analysis, pivoting around the dark web, IoT, and cloud forensics to professionals, creating leadership opportunities for the future.
Is the C|HFI for beginners?
The C|HFI program, designed for IT/forensics professionals, is open to individuals with a basic understanding of IT/cybersecurity, computer forensics, and incident response.
Is the C|HFI worth getting?
Yes. EC-Council’s C|HFI is a comprehensive certification program with 68 complex labs. It has extensive coverage of digital forensics that offers candidates a practical and holistic approach to cyber threats. EC-Council’s ANAB(ANSI) accredited and US DoD approved C|HFI certification signifies your competencies and skills, conveying to employers that you can be an asset to an organization’s security team.
How much demand is there for the C|HFI?
The C|HFI is highly demanded by professionals who handle and prevent cybercrimes. It equips professionals with all the necessary skills to investigate security threats, aligning with crucial forensic job roles worldwide. Thus, professionals can pursue the C|HFI to enhance their skills and employability. As per Salary Survey Report 75, C|HFI has been ranked as the only digital forensics course in the U.S. with an average six-figure salary.
How long does it take to become a C|HFI?
Enrolling in EC-Council’s C|HFI certification includes a 5-day training, followed by the C|HFI exam. To obtain the certification, you must pass the exam with a 60-85% score.
What does the C|HFI cover?
The C|HFI certification comprehensively covers the aspects of digital forensics and cybersecurity. It includes incident response handling, malware forensics, network forensics, the dark web, and IoT forensics, emphasizing practical applications with 68 hands-on labs, 70+GB crafted evidence files, and more.
Is the C|HFI a hands-on program?
Yes, C|HFI certification is a hands-on program focused on practical learning with a total number of 68 labs for real-world experience. It offers an all–inclusive and methodological approach to various aspects of digital forensics, including the dark web, cloud forensics, and IoT.